Merge pull request #132 from tomato42/alpn

Support for ALPN extension from RFC 7301

Author: tomato42

scripts/tls.py

@@ -76,11 +76,13 @@ def printUsage(s=None):
     [--reqcert] HOST:PORT
 
   client
-    [-k KEY] [-c CERT] [-u USER] [-p PASS] [-l LABEL] [-L LENGTH]
+    [-k KEY] [-c CERT] [-u USER] [-p PASS] [-l LABEL] [-L LENGTH] [-a ALPN]
     HOST:PORT
 
   LABEL - TLS exporter label
   LENGTH - amount of info to export using TLS exporter
+  ALPN - name of protocol for ALPN negotiation, can be present multiple times
+         in client to specify multiple protocols supported
 """)
     sys.exit(-1)
 
@@ -109,6 +111,7 @@ def handleArgs(argv, argString, flagsList=[]):
     directory = None
     expLabel = None
     expLength = 20
+    alpn = []
 
     for opt, arg in opts:
         if opt == "-k":
@@ -142,9 +145,14 @@ def handleArgs(argv, argString, flagsList=[]):
             expLabel = arg
         elif opt == "-L":
             expLength = int(arg)
+        elif opt == "-a":
+            alpn.append(bytearray(arg, 'utf-8'))
         else:
             assert(False)
-            
+
+    # when no names provided, don't return array
+    if not alpn:
+        alpn = None
     if not argv:
         printError("Missing address")
     if len(argv)>1:
@@ -178,6 +186,8 @@ def handleArgs(argv, argString, flagsList=[]):
         retList.append(expLabel)
     if "L" in argString:
         retList.append(expLength)
+    if "a" in argString:
+        retList.append(alpn)
     return retList
 
 
@@ -216,6 +226,9 @@ def printGoodConnection(connection, seconds):
             emptyStr = "\n  (via TACK Certificate)" 
         print("  TACK: %s" % emptyStr)
         print(str(connection.session.tackExt))
+    if connection.session.appProto:
+        print("  Application Layer Protocol negotiated: {0}".format(
+            connection.session.appProto.decode('utf-8')))
     print("  Next-Protocol Negotiated: %s" % connection.next_proto) 
     print("  Encrypt-then-MAC: {0}".format(connection.encryptThenMAC))
     print("  Extended Master Secret: {0}".format(
@@ -233,8 +246,8 @@ def printExporter(connection, expLabel, expLength):
 
 def clientCmd(argv):
     (address, privateKey, certChain, username, password, expLabel,
-            expLength) = \
-        handleArgs(argv, "kcuplL")
+            expLength, alpn) = \
+        handleArgs(argv, "kcuplLa")
 
     if (certChain and not privateKey) or (not certChain and privateKey):
         raise SyntaxError("Must specify CERT and KEY together")
@@ -261,7 +274,7 @@ def clientCmd(argv):
                 settings=settings, serverName=address[0])
         else:
             connection.handshakeClientCert(certChain, privateKey,
-                settings=settings, serverName=address[0])
+                settings=settings, serverName=address[0], alpn=alpn)
         stop = time.clock()        
         print("Handshake success")        
     except TLSLocalAlert as a:
@@ -342,6 +355,7 @@ def handshake(self, connection):
                                               sessionCache=sessionCache,
                                               settings=settings,
                                               nextProtos=[b"http/1.1"],
+                                              alpn=[bytearray(b'http/1.1')],
                                               reqCert=reqCert)
                                               # As an example (does not work here):
                                               #nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])

tlslite/constants.py

@@ -118,6 +118,7 @@ class ExtensionType:    # RFC 6066 / 4366
     ec_point_formats = 11 # RFC 4492
     srp = 12            # RFC 5054
     signature_algorithms = 13 # RFC 5246
+    alpn = 16  # RFC 7301
     client_hello_padding = 21 # RFC 7685
     encrypt_then_mac = 22 # RFC 7366
     extended_master_secret = 23 # RFC 7627
@@ -283,6 +284,7 @@ class AlertDescription(TLSEnum):
     unsupported_extension = 110  # RFC 5246
     unrecognized_name = 112  # RFC 6066
     unknown_psk_identity = 115
+    no_application_protocol = 120  # RFC 7301
 
 
 class CipherSuite:

tlslite/extensions.py

@@ -1161,6 +1161,93 @@ def parse(self, parser):
 
         return self
 
+
+class ALPNExtension(TLSExtension):
+    """
+    Handling of Application Layer Protocol Negotiation extension from RFC 7301.
+
+    @type protocol_names: list of bytearrays
+    @ivar protocol_names: list of protocol names acceptable or selected by peer
+
+    @type extType: int
+    @ivar extType: numberic type of ALPNExtension, i.e. 16
+
+    @type extData: bytearray
+    @ivar extData: raw encoding of the extension data
+    """
+
+    def __init__(self):
+        """
+        Create instance of ALPNExtension
+
+        See also: L{create} and L{parse}
+        """
+        super(ALPNExtension, self).__init__(extType=ExtensionType.alpn)
+
+        self.protocol_names = None
+
+    def __repr__(self):
+        """
+        Create programmer-readable representation of object
+
+        @rtype: str
+        """
+        return "ALPNExtension(protocol_names={0!r})".format(self.protocol_names)
+
+    @property
+    def extData(self):
+        """
+        Return encoded payload of the extension
+
+        @rtype: bytearray
+        """
+        if self.protocol_names is None:
+            return bytearray(0)
+
+        writer = Writer()
+        for prot in self.protocol_names:
+            writer.add(len(prot), 1)
+            writer.bytes += prot
+
+        writer2 = Writer()
+        writer2.add(len(writer.bytes), 2)
+        writer2.bytes += writer.bytes
+
+        return writer2.bytes
+
+    def create(self, protocol_names=None):
+        """
+        Create an instance of ALPNExtension with specified protocols
+
+        @type protocols: list of bytearray
+        @param protocols: list of protocol names that are to be sent
+        """
+        self.protocol_names = protocol_names
+        return self
+
+    def parse(self, parser):
+        """
+        Parse the extension from on the wire format
+
+        @type parser: L{tlslite.util.codec.Parser}
+        @param parser: data to be parsed as extension
+
+        @raise SyntaxError: when the encoding of the extension is self
+            inconsistent
+
+        @rtype: L{ALPNExtension}
+        """
+        self.protocol_names = []
+        parser.startLengthCheck(2)
+        while not parser.atLengthCheck():
+            name_len = parser.get(1)
+            self.protocol_names.append(parser.getFixBytes(name_len))
+        parser.stopLengthCheck()
+        if parser.getRemainingLength() != 0:
+            raise SyntaxError("Trailing data after protocol_name_list")
+        return self
+
+
 TLSExtension._universalExtensions = \
     {
         ExtensionType.server_name: SNIExtension,
@@ -1169,6 +1256,7 @@ def parse(self, parser):
         ExtensionType.ec_point_formats: ECPointFormatsExtension,
         ExtensionType.srp: SRPExtension,
         ExtensionType.signature_algorithms: SignatureAlgorithmsExtension,
+        ExtensionType.alpn: ALPNExtension,
         ExtensionType.supports_npn: NPNExtension,
         ExtensionType.client_hello_padding: PaddingExtension,
         ExtensionType.renegotiation_info: RenegotiationInfoExtension}

tlslite/session.py

@@ -46,6 +46,10 @@ class Session(object):
     @type encryptThenMAC: bool
     @ivar encryptThenMAC: True if connection uses CBC cipher in
     encrypt-then-MAC mode
+
+    @type appProto: bytearray
+    @ivar appProto: name of the negotiated application level protocol, None
+    if not negotiated
     """
 
     def __init__(self):
@@ -61,11 +65,13 @@ def __init__(self):
         self.resumable = False
         self.encryptThenMAC = False
         self.extendedMasterSecret = False
+        self.appProto = bytearray(0)
 
     def create(self, masterSecret, sessionID, cipherSuite,
                srpUsername, clientCertChain, serverCertChain,
                tackExt, tackInHelloExt, serverName, resumable=True,
-               encryptThenMAC=False, extendedMasterSecret=False):
+               encryptThenMAC=False, extendedMasterSecret=False,
+               appProto=bytearray(0)):
         self.masterSecret = masterSecret
         self.sessionID = sessionID
         self.cipherSuite = cipherSuite
@@ -78,6 +84,7 @@ def create(self, masterSecret, sessionID, cipherSuite,
         self.resumable = resumable
         self.encryptThenMAC = encryptThenMAC
         self.extendedMasterSecret = extendedMasterSecret
+        self.appProto = appProto
 
     def _clone(self):
         other = Session()
@@ -93,6 +100,7 @@ def _clone(self):
         other.resumable = self.resumable
         other.encryptThenMAC = self.encryptThenMAC
         other.extendedMasterSecret = self.extendedMasterSecret
+        other.appProto = self.appProto
         return other
 
     def valid(self):